
[alpine-aports] Re: [alpine-aports] [PATCH] main/nftables: Update init script

Benjamin Allen <bensallen@me.com>
Message ID
<2512351b-8f6a-42ba-9f61-828605b2b3b8@me.com>
Sender timestamp
1452355783
Hi Sören,

I agree on Gentoo's initd being overly complicated. That is why I stripped out the legacy functions and merged it all into a single file. This patch is basically doing as you suggest:

`nft -f ${some_configuration_file}` on start

`nft ruleset flush` would be the equivalent of this patch's "clear" function. You also need the save function which is `nft list ruleset > ${NFTABLES_SAVE}`. This patch checks the return code of `nft list ruleset` before overwriting the existing save file, which I think is a safer approach. Just in case.

The panic function, while lengthy, is atomic when loaded by nft. I'm not sure how useful having this function is, but I carried it over from Gentoo's initd.

I also like having the checkkernel and checkconfig functions in place, as they give the user pretty clear guidance on what's wrong with their configuration when they fail.

One thing we should change: I copied over the #!/sbin/runscript and didn't change it to #!/sbin/openrc-run.

Thanks,

Ben

On Jan 09, 2016, at 08:35 AM, Sören Tempel <soeren@soeren-tempel.net> wrote:

On 08.01.16, Ben Allen wrote:
Updating main/nftables init script. Based on the newer Gentoo init
script:
https://gitweb.gentoo.org/repo/gentoo.git/tree/net-firewall/nftables/files/nftables.init-r2.
Merged nftables.sh from Gentoo's version into the init script itself,
and removed the legacy functionality. Adding descriptions for each
action as well.

I was actually considering to write a custom service for nftables since
I believe that the Gentoo service is too complicated. Simply invoking
`nft -f ${some_configuration_file}` on start and `nft flush ruleset`
should be good enough, shouldn't it?

Sören.
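As an added example (not the patch under discussion, and not Gentoo's script), here is the start/clear/save/panic logic the thread describes, written as plain POSIX shell functions so it can be exercised without OpenRC. The thread only names `${NFTABLES_SAVE}` and a generic configuration file; `NFT` and `NFTABLES_CONF` are names assumed for this example, and the panic ruleset is a constructed drop-everything policy. The clear function uses `nft flush ruleset`, which is the argument order nft accepts.

```shell
#!/bin/sh
# Added example, not the init script from the patch. Plain functions with
# assumed variable names (NFT, NFTABLES_CONF); NFTABLES_SAVE is the name
# used in the thread. Override any of them in the environment.

NFT="${NFT:-nft}"                                  # nft binary (or a stub when testing)
NFTABLES_CONF="${NFTABLES_CONF:-/etc/nftables.nft}" # assumed ruleset file path
NFTABLES_SAVE="${NFTABLES_SAVE:-/var/lib/nftables/rules-save}"

# checkconfig: refuse to start without a readable ruleset file and say why.
checkconfig() {
    if [ ! -r "$NFTABLES_CONF" ]; then
        echo "nftables: ruleset file $NFTABLES_CONF is missing or unreadable" >&2
        return 1
    fi
    return 0
}

# start: load the whole ruleset file in one nft -f transaction.
start() {
    checkconfig || return 1
    "$NFT" -f "$NFTABLES_CONF"
}

# clear: drop every table (the "clear" action from the thread).
clear() {
    "$NFT" flush ruleset
}

# save: dump the live ruleset to a temporary file first and only replace
# NFTABLES_SAVE when `nft list ruleset` exited 0, so a failing nft never
# leaves an empty or truncated save file behind.
save() {
    tmp="${NFTABLES_SAVE}.tmp.$$"
    if "$NFT" list ruleset > "$tmp" 2>/dev/null; then
        mv "$tmp" "$NFTABLES_SAVE"
        return 0
    fi
    rm -f "$tmp"
    echo "nftables: 'nft list ruleset' failed; keeping existing $NFTABLES_SAVE" >&2
    return 1
}

# panic: replace the ruleset with drop-everything base chains (constructed
# policy). The flush and the new table are fed to a single nft -f run, so
# they are applied as one atomic transaction.
panic() {
    "$NFT" -f - <<'EOF'
flush ruleset
table inet panic {
    chain input   { type filter hook input   priority 0; policy drop; }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy drop; }
}
EOF
}

# Dispatch on the first argument, e.g. `sh nftables-example.sh save`.
case "${1:-}" in
    start|clear|save|panic|checkconfig) "$1" ;;
esac
```

The save path is the point the thread raises: writing to a temporary file and renaming it means a failed `nft list ruleset` (missing kernel support, nft not installed, permission error) cannot overwrite the last good save, and a crash between the two steps leaves at worst a stray `.tmp` file rather than a half-written ruleset.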